Forty Million Target Customers Affected By Data Breach

Do you shop at Target? If so, you may want to pay extra attention to your credit and debit card bills during the next few months. According to Krebs on Security, Target is investigating a data breach that has potentially affected millions of customer credit and debit cards. Krebs's sources say the breach appears to have begun around Black Friday 2013 and involves the theft of data stored on the magnetic stripe of cards used at stores. The breach apparently extends to nearly all Target locations across the U.S.

UPDATE 9AM ET, Dec. 19: Target confirmed today that the data breach has affected 40 million customers. According to its statement, "Approximately 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013. Target alerted authorities and financial institutions immediately after it was made aware of the unauthorized access, and is putting all appropriate resources behind these efforts. Among other actions, Target is partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident."

In a letter to customers, Target also warned that customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code) were stolen.

This obviously is not good news for Target and its customers, as the breach hit during some of the busiest shopping days of the year. While sources tell Krebs that the breach was initially thought to have occurred from just after Thanksgiving 2013 to Dec. 6, Target has confirmed that the credit and debit card data was stolen from customers who made purchases between Nov. 27 and Dec. 15, 2013.

Krebs explains that the type of data stolen (also known as "track data") allows crooks to create counterfeit cards by encoding the information onto any card with a magnetic stripe. If the thieves also were able to intercept PIN data for debit transactions, they would theoretically be able to reproduce stolen debit cards and use them to withdraw cash from ATMs. Malware was likely installed on the POS systems in Target's brick-and-mortar retail stores, where it skimmed credit and debit card information. According to the New York Times, "To pull it off, security experts said a company insider could have inserted malware into a company machine, or persuaded an unsuspecting employee to click on a malicious link that downloaded malware that gives cybercriminals a foothold into a company’s point-of-sale systems."

An anti-fraud analyst has made it clear the situation could not be any worse for Target and its customers, telling Krebs, "We can’t say for sure that all stores were impacted, but we do see customers all over the U.S. that were victimized."